Tuesday, April 30, 2013

NOTE: As of 5-3-13, 19:30 CDT the issues identified in this post with this update have been resolved. The link now takes one to the September 27th, 2012 version updated to the new HTML format.

Yesterday I
was kind of surprised when ICS-CERT published an update to the Ruggedcom
Advisory whose only news had already been public before the original advisory
was published. Today, I am more than surprised; I am more than a little
concerned because ICS-CERT re-published as new an update to the SHAMOON JSAR
that was originally published last September.

Now this could just be a problem of updating all of the old
.PDF alerts to the new .HTML model, but today’s publication certainly claims
that the date for the –A update is April 30th, 2013 not September 27th,
2012.

Now there was a second
update to this advisory published last October. As I noted in that earlier
blog post the second update was not that impressive, but it did provide some
new information. That information is not included in today’s “update”.

Now the links to the ICS-CERT publications in the previous
blog posts about the updates are no longer particularly useful. The first
update (-A) link now takes you to today’s version of the update (virtually the
same as the original outside of some formatting changes and the ‘wrong’ change
date). The second update (-B) link now takes you to the original version of the
JSAR (again in the new HTML format) with a bogus ‘original release date’ of October 16th,
2012.

I understand that it is easy to make inadvertent changes to
documents when you fool with reformatting the documents. This is why historical
records do not typically get reformatted; there is no need to put their
information integrity at risk.

BTW ICS-CERT: If you need copies of the original .PDF files
to correct the historical record, let me know. I have copies of most of the alerts
and advisories back to June of 2010. I’ll be happy to ship them to you on a
thumb drive….. ;-)

There will be a 30-minute period for public comments
(limited to 5 minutes each on a first-come, first-serve basis) on Friday
morning. Written
comments from the public may also be submitted via snail mail (and this is
NIST?) to:

Monday, April 29, 2013

Earlier today the DHS ICS-CERT published an updated
version of their advisory
from December that reported mitigations in response to the original
ICS-CERT alert from August and an
update of that alert in September. If that seems confusing, try this; today’s
update notes that “ROS Update V3.12 has been produced to mitigate these issues”
but the Ruggedcom
web site reports that V3.12 became available on December 7th,
2012; eleven days before the original advisory was published. It looks like
this update should have been included in the original advisory.

BTW: There is still no word on a more permanent fix for the
HTTPS/SSL service; disabling the service remains the only mitigation reported
in this updated advisory.

BTW Again: There is no mention in this updated advisory that
Justin Clarke, the researcher who reported the vulnerability in the first
place, has had a chance to review the V3.12 update to verify that it mitigates
the reported vulnerabilities.

The comments from the Lake
Carriers’ Association were generally positive, supporting the failure to
require TWIC readers for Risk Group B and C vessels and facilities. The
American Institute of Architects comment was a copy of a slide presentation
about TWIC Readers used in a continuing education course. The IBIA comments
included a suggestion that the Coast Guard should expand the TWIC Reader
requirement to include Risk Group B vessels and facilities. The Passenger
Vessel Association comment objected to the use of the TWIC as an access control
tool (instead of just a proof of vetting document) and suggested that the
recurring access provisions included in the ANPRM should be restored,
particularly for passenger vessels and terminals.

The IBIA comments were actually
a copy of the prepared remarks that they presented at the TWIC
Reader Meeting in Arlington, VA on April 18th. Unfortunately,
the Coast Guard has yet to publish the transcripts of the comments from that
meeting or the Houston, TX meeting on April 25th (okay, I’ll give
them that that was just last week).

I expect that we will be seeing
more corporate comments like these as we approach the end of the comment period
on May 21st.

We are more than half way through the comment period on this
ICR notice and only one comment was added in the last week, bringing the total
to three. I am surprised that there have been no comments to date from any
chemical companies, though I do expect that will change as we get closer to the
May 21st deadline for comments. We do have our first
corporate comment this week, however, from AGL Resources, a natural gas
distribution company.

AGL has three specific suggestions for improving the PSP
dealing with:

• Vendor PSP certification;

• Bulk data submissions to the PSP;
and

• Exemption from PII data sharing
rules.

The issue of dealing with vetting vendor employees will be
the area that will give high-risk chemical facilities the most problem with the
PSP. While facility security managers are certainly going to want to restrict
vendor access to critical areas of the facility to the largest extent possible,
there is still going to be some unaccompanied access required for selected
vendors.

I don’t expect ISCD to get too specific about how this
should be handled; the §550 rule about specifying security measures hangs heavy
over their heads. Generally speaking, I would expect them to address this issue
in the ICR by stating that each facility will have to address the issue in
their site security plans which will be reviewed on an individual basis.

I really believe that the most effective way to handle this
issue for most facilities is that they would require such vendors to have a
TWIC that would be verified by a TWIC reader at some centralized location
(security company most likely) and then checked against an approved list at the
facility entrance. Larger facilities would be able to afford a TWIC reader at
the gate.

Which brings up an interesting question; how long before we
have a Tablet Application that scans IDs and compares them to a facility access
list?

Sunday, April 28, 2013

It has been some time since Fred Millar has graced this blog
with comments on a chemical safety issue, but today he returned with a
comment on one
of my recent posts about the West Fertilizer explosion. Fred’s comment was not
about anything that I said in the particular post, rather it is a call to
action to the US Environmental Protection Agency (EPA) to take action in the
case under the General Duty Clause (GDC) of the Clean Air Act {42
USC 7412(r)}.

I suggest that readers take time to read and consider Fred’s
cogent arguments favoring the application of GDC in this case. This certainly
comes closer to the intent of the law than does using the GDC to mandate the
application of inherently safer technology to chemical facility security
requirements for high-risk chemical facilities. It comes closer, but it still
doesn’t quite get there.

Extremely Hazardous Substance

Fred explains the GDC this way:

The Clean Air Act's General Duty
Clause says "the owners and operators of stationary sources [facilities]
(sic) producing, processing, handling or storing [any extremely hazardous
substance] (sic) have a general duty to identify hazards which may result from
releases [including fire, explosion, toxic gas cloud] (sic) using appropriate
hazard assessment techniques, to design and maintain a safe facility taking
such steps as are necessary to prevent releases, and to minimize the
consequences of accidental releases which do occur."

What the GDC actually says is:

The owners and operators of
stationary sources producing, processing, handling or storing such substances
have a general duty in the same manner and to the same extent as section 654 of
title 29 to identify hazards which may result from such releases using
appropriate hazard assessment techniques, to design and maintain a safe
facility taking such steps as are necessary to prevent releases, and to minimize
the consequences of accidental releases which do occur.

The phrase ‘such substances’ refers to the preceding
sentence in the paragraph that reads:

It shall be the objective of the
regulations and programs authorized under this subsection to prevent the
accidental release and to minimize the consequences of any such release of any
substance listed pursuant to paragraph (3) or any other extremely hazardous
substance.

Fertilizer grade ammonium nitrate is not one of the listed
chemicals nor is it generally recognized as an ‘extremely hazardous substance’
in any regulation or statute that I can find. In fact, DOT regulations classify
fertilizer grade ammonium nitrate as an oxidizer (UN 2067, 5.1) in packing
group III; the least hazardous level that is still regulated by the hazardous material
regulations.

If it is such a low hazard, how did such a large explosion
result? The specific answer to that in this instance is still under
investigation by OSHA, the ATF and the Chemical Safety Board. I expect that the
final report by the CSB will be enlightening and more than a little scary for
other communities that contain large ammonium nitrate storage facilities. But
we do know that ammonium nitrate, while hard to ignite, will burn. If the
burning ammonium nitrate is confined in some way (by a collapsing storage building
for instance) there is a possibility that an explosion could result.

Releases

Another problem with Fred’s assessment revolves around the
GDC’s use of the term ‘releases’. There is no specific definition of ‘releases’
in §7412, but the GDC does define ‘accidental releases’ as “an unanticipated
emission of a regulated substance or other extremely hazardous substance into
the ambient air from a stationary source” §7412(r)(2)(A). Thus it hardly seems
possible that there was a ‘covered’ release of ammonium nitrate involved in the
West Fertilizer explosion even if fertilizer grade ammonium nitrate were
specifically covered under the GDC.

Who Could Have Covered West Fertilizer?

If the EPA’s GDC did not apply to the West Fertilizer
Facility, does that mean that no agency was responsible for the regulation of
the handling of ammonium nitrate at the facility? While there are no specific
safety regulations pertaining to the handling of fertilizer grade ammonium
nitrate, the Occupational Safety and Health Administration’s (OSHA) General
Duty Clause (GDC; 29 USC §654) appears to be a much closer fit than does the
EPA’s GDC. The OSHA GDC states that each employer “shall furnish to each of his
employees employment and a place of employment which are free from recognized
hazards that are causing or are likely to cause death or serious physical harm
to his employees” {§654(a)(1)}.

The phrases ‘recognized hazards’ and ‘are likely to cause’
will provide lots of room for lawyers to argue that the West Fertilizer
situation does not really come under the coverage of the OSHA GDC. There may be case law on the books that
covers this type of situation, but I suspect that any OSHA action under the GDC in
this particular case will spend a number of years wending its way through the
judicial system.

Who Should Have Covered the West Fertilizer Situation?

In my not so humble opinion it probably should have been
OSHA that had regulations on the books that would have covered the safe storage
of fertilizer grade ammonium nitrate. The catastrophic potential is clearly
understood even if it is not even a remotely common occurrence. But ammonium
nitrate fertilizer is an agricultural commodity. As such it falls under the
protection of arguably the most powerful lobby in the United States (NO, not
the NRA); the agriculture lobby.

Unfortunately neither OSHA nor the EPA is likely to take on
the Ag Lobby to regulate the safe storage and handling of fertilizer grade
ammonium nitrate. Unless we see a rash of such explosions across rural America,
or someone determines that the cause was something other than an accident, I
doubt that we will see any change in the way that ammonium nitrate fertilizer
is stored in these small retail distribution centers.

This is part of a continuing series of blog posts looking at
the responses to a
joint request for information (RFI) from the National Telecommunications
and Information Administration (NTIA) and the National Institute of Standards
and Technology (NIST) to support their development of incentives to adopt the
improved cybersecurity practices being developed by the NIST as part of the
Cybersecurity Framework mandated by the President’s executive order on
cybersecurity (EO 13636).
The previous posts in the series are listed below.

The comments from both DCS Corp and Romanosky address the
issue of using insurance as part of the incentives package. Romanosky provides
a detailed discussion of both the theoretical basis for cybersecurity insurance
and how it could be used to incentivize increased cybersecurity protections.
The DCS Corp comments focus on how meeting the standards of the Cybersecurity
Framework could lessen the cost of such insurance. The Honeywell comments also
briefly and favorably address using cybersecurity insurance as a tool to encourage
voluntary framework compliance.

Utility Compliance

The comments from Utilities Telecom Council, not
unexpectedly, focus on cybersecurity incentives from a utility perspective. They
include a brief discussion of tax incentives that could be applied to the
situation. More importantly, though, they make the case for centralizing and
combining cybersecurity regulations to reduce the regulatory burden of trying
to comply with multiple regulatory agencies.

Framework then Incentives

The Honeywell
comments make another important point; it is difficult to talk about incentives
to implement the Cybersecurity Framework without knowing what requirements may
be included in the Framework. The comments then go on to reiterate comments
that we have been hearing associated with CISPA; corporations need immunity
from civil suits for sharing cybersecurity information with the government and
acting in good faith on government supplied threat information, as well as
immunity from anti-trust actions for cooperating and coordinating cybersecurity
activities with other companies.

One Day Left

With only a single day left for submitting timely comments,
it will be interesting to see how many additional comments will be submitted. So
far, there has been no discussion about control system security
incentives for either owner/operators or system vendors. It has been an
extremely abbreviated comment period, but that was necessitated by the short
time frame the President set forth in the cybersecurity EO.

On Friday afternoon the DHS ICS-CERT published two
advisories for multiple vulnerabilities on MatrikonOPC and a single
vulnerability on Galil RIO-47100. Both advisories were based upon coordinated
disclosures.

NOTE: Along with a recent change in the ICS-CERT web site
format, ICS-CERT has changed their Advisories (and presumably Alerts) from .PDF
pages to .HTML pages. They may still be saved as .PDF files, but this should
remove some of the complaints heard about ICS-CERT using an ‘inherently
vulnerable’ .PDF format for their reports. I’ve even heard some really paranoid
individuals complain that ICS-CERT was using the .PDF reports to spread
spyware.

MatrikonOPC Advisory

ICS-CERT reports that two vulnerabilities [Link added 4-28-13 07:05 CDT] were reported by
Dillon Beresford of Cimation. The vulnerabilities are:

(NOTE: CVE links will not be active for a couple of days) [4-28-13 07:05 CDT]

ICS-CERT notes that a relatively low skilled attacker could
remotely exploit these vulnerabilities to gain access to system files or crash
the configuration utility. They also note that the system must be accessible
via the internet for the remote exploitation to be possible.

MatrikonOPC has produced patches that have been verified by
Dillon to mitigate the vulnerabilities. The link to the patch page in the
advisory does not work [NOTE: As of 04:00 CDT 4-29-13, this has been corrected]. Use this link (http://www.opcsupport.com/ics/support/default.asp?deptID=4590)
to the product advisory page instead. Click on the appropriate product and use
the instructions on the product page to download the patch.

ICS-CERT notes that a moderately skilled attacker could
remotely exploit this vulnerability to execute a DoS attack.

A firmware update is available at http://www.galilmc.com/support/firmware-downloads.php
and Christmas confirms that it resolves the identified vulnerability. The link
in the advisory is good, but it takes you through a ‘You are leaving ICS-CERT’
page which I have always found to be annoying and more than a little mindless.
Interestingly the Firmware Release Notes page also explains that the latest
release fixes a buffer overflow issue not mentioned in the ICS-CERT advisory.

New Format

As I mentioned earlier, ICS-CERT has changed the format for
their Advisories and Alerts. They have gone back and updated earlier alerts (at
least through the Clorius Controls Alert from April 1st). Along with
changing from a .PDF to .HTML file format, they have significantly modified the
typography and slightly modified the layout. In my opinion (FWIW) the changes
have detracted from the readability of the documents. This is especially true
when the document is saved in a .PDF format.

The change in format also removes two fixtures of the
reports. The recently added ‘Traffic Light Protocol’ (TLP) markings have been
removed from the documents; a good move in my opinion. The product warranty box
at the bottom of the first page of the old format has also been removed. This
was one of those legal disclaimer things that we are seeing in too many areas
of our public lives and the world would be a better place without them.

BTW: The House and Senate will be working in their Home
districts next week, not Washington. Yes, keeping in touch with the voters and
their supporters’ checkbooks is an important part of their legislative duties.

Friday, April 26, 2013

This afternoon the folks at DHS Infrastructure Security
Compliance Division (ISCD) updated the Critical
Infrastructure – Chemical Security web page. The old page had a link to
information on reporting security concerns. The new page has the following
contact information right on the page:

• CFATS Chemical Facility Security
Tip Line: 877-394-4347

• National Infrastructure
Coordinating Center (NICC): 202-282-9201

Calls to the Tip Line should “involve the CFATS regulation
at your facility or another facility”. In light of the recent news about the
failure of the West Fertilizer facility to file a Top Screen, one would expect
that failure of a facility to complete a Top Screen would be something that
ISCD would like to hear about.

The DHS NICC should be contacted if “a potential security
incident has already occurred”. Security emergencies or in progress terrorist
attacks should be reported to 911 or your local FBI field office.

The only other changes on the page are some
minor changes to the wording describing the Ammonium Nitrate Security Program
that make it clearer that the program is still under development.

While a copy of the bill is not yet available a press
release by Lautenberg’s office notes that the bill would establish
additional civil penalties and add criminal penalties for facilities and their
officers that fail to file a Top Screen report when they have inventories of
DHS chemicals of interest (COI) at or above the screening threshold quantities
(STQ) established in the CFATS regulations.

The press release makes it clear that this bill was
introduced in response to the news that the West Fertilizer facility that
exploded last week had not filed a Top Screen for either the anhydrous ammonia
or ammonium nitrate stored at the facility.

Section 2 of the bill amends the definitions found in 49
USC 60101(a). First it re-orders subparagraphs 20 through 25 so that the terms
are in standard alphabetical order. It then adds definitions for the following
new terms:

• Underground gas storage wellbore;
and

• Underground hazardous liquid
storage wellbore.

State Authority

Section 3 amends 49
USC 60104(c) dealing with preemption. It rewrites paragraph (c) into three
sub-paragraphs and adds 49 USC 60104(c)(3)(B) that specifically allows a State
authority to “enforce a State requirement for the safe construction and
operation of underground gas storage wellbores and underground hazardous liquid
storage wellbores” under two conditions. The first condition is if the Federal
Energy Regulatory Commission (FERC) specifically approves the requirement. The
second condition is if FERC fails to act on a State petition for approval of a
requirement within 30 days of the request being submitted.

Moving Forward

This is a new piece of legislation without a history in
either the Senate or House. This makes it difficult to predict what actions
will be taken in either body. The bill has been referred to the Commerce,
Science, and Transportation Committee for consideration, but neither Roberts nor
his co-sponsor Sen. Moran (R,KS) serves on that Committee, so it will be difficult
for them to convince Chairman Rockefeller (D,WV) to schedule the required
hearings to move the bill forward.

Thursday, April 25, 2013

Today the Transportation Security Administration (TSA)
published a final rule in the Federal Register (78 FR 24353-24360)
removing from the Code of Federal Regulations (CFR) the specific amount of fees
collected for the processing of security threat assessments (STA) for both the
Transportation Worker Identification Credential (TWIC) and the Hazardous
Material Endorsement (HME) for the State administered Commercial Driver’s
License (CDL) program. This change will make it easier for the TSA to adjust
the fee to cover actual program costs as required by 6
USC 469.

As I
noted in an earlier blog post Rep. Clarke (D,NY) introduced HR
1584, the Empowering Local Partners to Prevent Terrorism Act of 2013. The
bill would limit the availability of homeland security grant funds to pay for “any
training, programs, presentations, and speakers regarding counterterrorism that
includes information about violent extremism, homegrown violent extremism, or
domestic violent extremism that is acquired from an entity other than the Department”
{6 USC §344m (the bill actually calls this §899M added to the 2002 Homeland
Security Act but it will be §344m in the USC when it is published)}.

Section 344k of the bill would require DHS to “develop guidance,
outreach, training, and programs in furtherance of national counterterrorism
policy” {§344k(a)}. Within one year of the passage of this bill the Department
will be required to “develop and distribute to State, local, and tribal authorities
courses and materials that comply with the ‘Grant
Programs Directorate Information Bulletin No. 373’ [link added] or
successor bulletin for integration into the curricula for recruits and
recurrent training for experienced law enforcement officers” {§344k(b)}.

Any counterterrorism training about violent extremism,
homegrown violent extremism, or domestic violent extremism to be funded by
homeland security grants under 6 USC §604 and §605 that uses materials other
than those described above will have to be pre-approved by the “Chief Privacy
Officer and the Office for Civil Rights and Civil Liberties” {§344m}.

Section 344n would require the Department IG to be
responsible for overseeing this program. An oversight program would be
established to regularly review “expenditures of homeland security grant
programs by State, local, and tribal authorities on training, programs,
presentations, and speakers that are not acquired through the Secretary”. The IG
would be required to evaluate “whether such expenditure is consistent with
constitutional civil rights and civil liberties, including prohibiting racial,
ethnic, and religious profiling” {§344m(a)(2)}.

Surprisingly there are no provisions included in the bill
that would specifically require the DHS IG to submit reports to Congress on the
efficacy of the program.

Because of its focus on preventing “racial, ethnic, and
religious profiling”, I would be very surprised if this bill is ever marked up
in the House Homeland Security Committee where it was referred. The bill certainly
would not be able to pass in a vote on the floor of the House in the current
session for the same reason.

Wednesday, April 24, 2013

Today the Federal Communications Commission published a
notice of proposed rulemaking (NPRM) in the Federal Register (78 FR 24138-24147)
to “implement provisions of the Middle Class Tax Relief and Job Creation Act of
2012 (Public Safety Spectrum Act) governing deployment of a nationwide public
safety broadband network in the 700 MHz band under a nationwide license issued
to the First Responder Network Authority (FirstNet)”.

• Technical service rules for the
new public safety broadband network to be established pursuant to the Public
Safety Spectrum Act;

• The Commission's statutory
responsibilities as they relate to oversight of FirstNet; and

• The different classes of incumbents
now occupying portions of the spectrum licensed to FirstNet.

The FCC is soliciting public
comment on this NPRM. Comments need to be submitted by May 24th,
2013 and replies to submitted comments need to be submitted by June 10th.
There is nothing in the NPRM that tells how the comments/replies are to be
submitted beyond giving an email address for the point of contact Gene Fullano
(genaro.fullano@fcc.gov). Nor is
there any mention of where the public can see the submitted comments in order
to prepare replies to those comments.

I have not covered much about the FCC’s work over the years,
but I have to say that this is the worst written, least informative NPRM that I
have ever reviewed. There are extensive changes proposed to 47 CFR parts 1, 2,
27 and 90, but nowhere is there a coherent description of what those changes
entail or what the FCC is specifically attempting to do with those changes.

Tuesday, April 23, 2013

As I
noted earlier, Rep. Clarke (D,NY) introduced HR 1583, the Fair, Accurate, Secure, and Timely (FAST)
Redress Act of 2013. This bill would provide procedures for the appeal and
redress for being wrongfully identified as a terrorist threat because of listing
on a terrorist watch list. This bill is virtually identical to HR
1007 that was introduced early in the 112th Session and I’ve
discussed the provisions in some detail in the link above.

Passenger Screening

The bill adds §469b to 6
USC Subchapter VII, Part H (again
the bill uses the standard convention of adding §890A to the 2002 Homeland
Security Act, but I find that convention to be confusing and difficult to track).
The bill specifically applies to “individuals who believe they were wrongly
delayed or prohibited from boarding a commercial aircraft” but has a vaguely
worded coverage that applies to anyone who was “denied a right, benefit, or
privilege by the Department” {§469b(a)} when they were inappropriately
identified as being on the Terrorist Screening Database (TSDB) list.

The bill also repeals 49
USC §44926 {§2(d)} which currently requires similar procedures to be
developed. The requirements for the various TSDB vetting programs run by the
TSA are scattered all over the USC and CFR, so consolidating them in one
location makes a certain amount of sense. Making the changes piecemeal,
however, will just add to the confusion.

Other TSA Security Threat Assessments

As I said, according to the ‘General’ provisions of the bill,
the proposal would seem to apply to other TSA administered threat assessment
programs, but the procedures outlined would not be practical for either the
Transportation Workers Identification Credential (TWIC) or the Hazardous
Material Endorsement (HME) for the State administered commercial driver’s
license (CDL) program. Those programs already have a redress process outlined
in 49
CFR 1515.5(b) that applies to being misidentified as being on the TSDB, but
that procedure is not required by law. It would be helpful if the current bill
would provide a legal requirement for that procedure.

CFATS

The current proposal for the CFATS personnel surety program will require the TSA to conduct the TSDB check for that program.
Neither the procedure outlined in this bill nor the §1515.5(b) process will be
applicable to that program. That is because the folks at ISCD do not currently
plan to deny anyone access to high-risk chemical facilities based upon their
appearance on the TSDB. Instead they vaguely plan on initiating a criminal/security
investigation of the individual. Presumably, if there is no criminal conduct
noted there will be no adverse consequence to be appealed. Of course that
completely discounts the possibility of an inappropriately identified individual
being prematurely arrested and then released when not convicted by a court of
law.

Moving Forward

This bill was introduced about this point in the 112th
Congress and never saw any discussion in committee, much less making it to a
committee mark-up or floor vote. Since there is already a redress process in
place (regardless of its adequacy or lack thereof) it is unlikely that this
bill will be considered in committee; Congress usually works on an ‘if it ain’t
broke don’t fix it’ policy.

Today the Pipeline and Hazardous Material Safety
Administration (PHMSA) published a notice in the Federal Register (78 FR 23972-23974)
that they intend to submit to the Office of
Management and Budget (OMB) a change to the current information collection request
(ICR) supporting their hazardous liquid pipeline accident reporting program.
The ICR revision would also incorporate the current ICR on the incorporation by
reference of the industry standard on leak detection.

The changes to the current ICR would reflect proposed
changes to the PHMSA form F 7000-1 Accident Report—Hazardous Liquid Pipeline
Systems. The change would require additional fields on the form to be completed for releases
of “at least 5 gallons but is less than 5 barrels with no additional
consequences” where property damage is less than $50,000 and there are no
deaths or injuries involved. Based upon recent history, PHMSA estimates that
this would affect almost half of the submitted accident reports.

Small Spill Changes

The form revision would require completion of the following
areas on the form that are currently not required for these small spills:

• Part C—pipe characteristics and
specification;

• Part D—consequence information;

• Part E—operating information;

• Part F—drug and alcohol testing
information; and

• Part G—details of the cause

PHMSA estimates that the change would double the time (from
five hours to ten) it takes to fill out the accident report on the
approximately 200 accidents per year that are currently exempted from providing
this additional data.

Form Instruction Changes

Additionally, PHMSA is proposing changes to the instruction
included on the form to revise how certain data is reported. Those changes
would affect:

PHMSA is soliciting public comments on these proposed
changes. Comments may be submitted via the Federal eRulemaking Portal (www.regulations.gov; Docket # PHMSA-2013-006).
Comments should be submitted by June 24th, 2013.

Monday, April 22, 2013

With a terrorist attack and a catastrophic chemical accident
still dominating the domestic news Congress returns to Washington to look at
more mundane matters including freight transportation and the FY 2014 budget.
Two security related hearings will be held looking at cybersecurity and weapons
of mass destruction.

On Wednesday the Panel on 21st Century Freight
Transportation (not a subcommittee, maybe a temporary subcommittee) will hold
a hearing on the Overview of the United States’ Freight Transportation
System. According to a Panel
document, they will be looking at the ‘system’ from an intermodal
perspective. There is no specific mention of hazardous material shipping in
that document, nor shipping security, but the topics may come up.

The witness list includes:

• Fred Smith, FedEx Corporation

• Charles W. Moorman, Norfolk
Southern Corporation

• James Newsome, South Carolina Ports Authority

• Derek Leathers, Werner
Enterprises

• Edward Wytkind, Transportation
Trades Department, AFL-CIO

Weapons of Mass Destruction

The Counterterrorism and Intelligence Subcommittee of the
House Homeland Security Committee will be holding
a hearing on Counterterrorism Efforts to Combat a Chemical, Biological,
Radiological, and Nuclear (CBRN) Attack on the Homeland. This hearing was originally
scheduled for April 11th. The witness list remains the same as I
reported earlier.

Cybersecurity

The Cybersecurity, Infrastructure Protection and Security
Technologies Subcommittee of the House Homeland Security Committee will be holding
a hearing on Thursday on Striking the Right Balance: Protecting Our
Nation's Critical Infrastructure from Cyber Attack and Ensuring Privacy and
Civil Liberties. It is odd that this hearing is coming after the House passage
of CISPA, but that doesn’t appear to be the end of cybersecurity legislation.
No witness list is currently available.

Action on the House Floor

There is only one bill that is currently scheduled to come
to the floor of the House this week that even remotely concerns chemical safety
matters (much less security of any kind) and that is H.R.
527, the Responsible Helium Administration and Stewardship Act. It will
be debated under a Rule on either Thursday or Friday. I haven’t covered this
bill and I probably won’t mention it again.

NOTE: The bill uses the standard convention of amending the
Homeland Security Act of 2002 and bases its section numbering scheme on that
document. I have converted these to references to 6 USC as that is easier to
find and link to.

General CBRN Focus

This bill would provide for a general focus on CBRN
intelligence by requiring the DHS Office of Intelligence and Analysis (OIA) to “support
homeland security-focused intelligence analysis of terrorist actors, their
claims, and their plans to conduct attacks involving chemical, biological,
radiological, and nuclear [CBRN] materials against the Nation” {§124n(a)(1)}
and to “leverage existing and emerging homeland security intelligence
capabilities and structures to enhance prevention, protection, response, and
recovery efforts with respect to a chemical, biological, radiological, or
nuclear attack” {§124n(a)(4)}.

The information sharing requirement for this intelligence
only requires OIA to “share information and provide tailored analytical support
on these threats to State, local, and tribal authorities” {§124n(a)(4)}. There
is no specific requirement to address sharing of this intelligence information
with potentially affected private sector entities.

Increased Biosecurity Focus

There is also a more tightly focused concern on biological
weapons. While biological attacks are clearly included in the general focus of
the legislation, the bill goes on to specifically require “homeland
security-focused intelligence analysis of global infectious disease, public health,
food, agricultural, and veterinary issues” {§124n(a)(2)}. This is clearly
intended to provide the Department with potential early warning of a bio-based
attack.

Continues to Ignore Industrial Chemical Attack

As with every WMD related bill that I have seen to date,
this bill continues to ignore the fact that the easiest WMD attack to execute
against this country would be an attack on the storage or transportation of
toxic, flammable or explosive industrial chemicals. While there are security
programs in place to address the security side of the infrastructure protection
equation, there is no one that is specifically tasked with providing the
intelligence development and dissemination that those programs need to be most
effective.

I would like to see an additional sub-paragraph added to §124n(a)
that would read:

“(x) support homeland
security-focused intelligence analysis of risks associated with potential
attacks on dangerous industrial chemical manufacture, storage, distribution and
transportation; with particular emphasis on the potential attempts to steal or
divert industrial chemicals that could be used in the manufacture of improvised
explosives or chemical weapons;”

Moving Forward

This bill will probably see quick action within the House
Homeland Security Committee, particularly since Meehan is the Chair of the
Subcommittee on Cybersecurity, Infrastructure Protection and Security
Technologies. When the bill makes it to the floor of the House it will almost
certainly pass with significant bipartisan support. If it makes it to the floor
in the Senate it will also be very likely to pass.

As I mentioned a week ago, Rep. Hahn (D,CA) introduced HR
1535, the Gauging American Port Security (GAPS) Act. This bill would
require the DHS Inspector General to prepare a classified report on the “remaining
gaps in port security in the United States” {§2(a)(1)}. This bill is nearly
identical to HR
4005 that was passed in the House in the last session, but was never acted
upon in the Senate.

The only difference between this bill and the previous
version is that the previous bill required the Secretary of DHS to produce the
GAPS report, not the IG. The change to requiring the IG to conduct the study is
odd in that the bill also requires the report to address the “prioritization of
such gaps and a plan for addressing them” {§2(a)(2)}. This is an inherently
political decision and thus not normally under the purview of the IG.

Classified Report

Requiring the report to be made in classified form with an unclassified
annex {§2(b)} will make sharing of the information problematic with the people
at the local level that will most likely be responsible for fixing the
identified problems. Section 3 of the bill attempts to address this by
requiring the Secretary to “help expedite the clearance process, as appropriate”
for ‘designated’ points of contact. Beyond the generic “Federal agencies and
State, local, or tribal governments, and port system owners and operators” the
bill does not define ‘designated’.

The one point that this bill (and to be fair most bills
requiring the sharing of classified information) fails to recognize is that a
person receiving classified information also has to have specially approved
methods of storing the classified information. Obtaining the approval of the
storage can be as time consuming as, and much more expensive than, obtaining a
security clearance.

Additionally, State and local governments will inevitably
have to go through a public funding process for any improvements that they will
have to make to port operations. Having to rely on a classified report to
justify those expenditures will make that funding process much more difficult.

Moving Forward

In the last session, HR 4005 passed with overwhelming bipartisan
support (the
vote was 411 – 9) in the House, but was never addressed in the Senate. That
was due, at least in part, to its late introduction and passage in the House.
When this bill gets to the floor in the House and if it gets to the floor in
the Senate, it will pass without significant opposition.

If this bill makes it to the floor of the House (or Senate
for that matter) it will almost certainly pass with significant bipartisan
support. I suspect, however, that this will be folded into a Coast Guard
authorization bill. Ms. Hahn represents at least a portion of the Port of Los
Angeles so I suspect that the introduction of this bill was intended for
inclusion in campaign literature as much as actual consideration in Congress.

Saturday, April 20, 2013

This is part of a continuing series of blog posts looking at
the responses to a joint request for information (RFI) from the National
Telecommunications and Information Administration (NTIA) and the National
Institute of Standards and Technology (NIST) to support their development of
incentives to adopt the improved cybersecurity practices being developed by the
NIST as part of the Cybersecurity Framework mandated by the President’s
executive order on cybersecurity (EO 13636).
The previous post in the series is listed below.

This week there were only two responses to the RFI. They
came from a lawyer, Gary Fresen, and from the Advanced Cyber Security Center
(ACSC).

Private Sector Information Sharing Centers

The ACSC
response proposes the establishment of four regional private sector
entities to provide a forum for the discussion and dissemination of
cybersecurity information including threat and response information. It notes
that these regional information sharing centers would be patterned on their own
organization, which has successfully set up a forum in the Boston area for this
type of information sharing with weekly meetings allowing face-to-face
exchanges.

Privileged Communications

Mr. Fresen proposes
setting up a new class of privileged communications that would allow for the
internal collection and analysis of cybersecurity information in critical
infrastructure organizations and the privileged sharing of that information
with the appropriate ISACs and CERTs. The detailed proposal includes
legislative language for the establishment of that new class of privileged
communications.

Moving Forward

As I noted in my
post about the RFI, the short deadline for this RFI is necessitated by the
time constraints set forth in the Executive Order. It may be disappointing to
see only a total of three comments submitted to date, but it usually takes at least
a month for corporate-type responses to these RFIs. With only nine days left in
the comment period, I suspect that we will be seeing a number of comments
coming in the next week.

This is the final post looking at the responses that the
National Institute of Standards and Technology (NIST) has received in response
to its request
for information (RFI) in support of the development of the Framework for Reducing Cyber Risks to
Critical Infrastructure as outlined in President Obama’s Executive Order on
critical infrastructure cybersecurity (EO 13636).
The earlier posts in the series are:

There were only five new responses added in the last week
and it seems clear that NIST is no longer adding to the list; it was last
updated on the 16th. There is no new information concerning control
system security or chemical-specific cybersecurity in the new posts.

• An extended public comment period
where views can be submitted in person; and

• A discussion of where NIST is
going with the information it has.

It is not clear from the agenda currently available if there
will be a chance for the public to discuss the proposals being presented. As
the date for the meeting gets closer, I would not be surprised to see the
current agenda being fleshed out, at least a little.

While I didn’t actually think that a bleve was responsible
for the explosion at West Fertilizer this week (though I did discuss
the possibility) I now have visual evidence that one was not involved (at
least not an anhydrous ammonia bleve). A Reuters photo
in a story on the Toronto Sun web site shows investigators (look real
close) walking through the rubble around the anhydrous ammonia tanks. All five
tanks that I identified earlier as probable anhydrous ammonia tanks are still
present and intact.

It is interesting that the Department of Homeland Security
has been telling just about anyone that has asked (I received the same
information from a Department spokesman) that the West Fertilizer facility that
blew up this week is not covered under the Chemical Facility Anti-Terrorism
Standards (CFATS) because the facility had never filed a Top Screen which would
have initiated a review of their terrorism risk by the Infrastructure Security
Compliance Division (ISCD). The Department is usually very reluctant to talk
about such matters since it would violate the CFATS regulations if they
discussed the status of a facility that was regulated.

Of course part of the reason for the different approach in
this case is that DHS is the only organization at the federal level that
currently has a legal mandate to regulate facilities that store ammonium
nitrate fertilizer, and they don’t want any part of the responsibility for the
situation in West, TX. That is kind of silly since their mandate has nothing
to do with safe storage; they are responsible for overseeing the secure storage
of the material under the CFATS program. Okay, and their much delayed ammonium
nitrate security program would also regulate the sale and transfer of ammonium
nitrate, but that isn’t involved here either.

What is a Top Screen

The CFATS program was designed to regulate security at
chemical facilities that are at high risk of being attacked by terrorists. It
was set up so that any facility that has an inventory of certain DHS chemicals
of interest (COI; chemicals that could cause a catastrophic incident if
released or detonated at the facility or could be used to make improvised
explosives or chemical weapons) at or above a certain screening threshold
quantity (STQ) is required to submit an online report called a Top Screen. This
report provides DHS with information about the quantities of COI stored at the
facility and some basic information about the facility (including its
location).

DHS takes this Top Screen information and reviews it to make
a preliminary determination if the facility is at high risk of a terrorist
attack. There is a lot of discussion going on right now about how ISCD makes
that determination (see here
and here)
and DHS isn’t publicly discussing the details of their review process for
security reasons. Having said that, it doesn’t take a lot of insider knowledge
to guess that for a local fertilizer distribution facility like West Fertilizer,
that review would probably concentrate on the size and location of the
surrounding community for determining the release threat (detonation of stored
material on site). My guess is that ISCD would conclude that a small town like
West, TX, lacking some sort of iconic international claim to fame, would not be
considered to be a serious terrorist target.

Facilities that submit a Top Screen and are subsequently
determined not to be at high risk of a terrorist attack are told they are not
covered under the CFATS program and reminded that if their situation changes
significantly they should re-submit a Top Screen. Then the folks at ISCD forget about them. The
Department has received over 40,000 Top Screens since the program started in
2007 and less than 4,000 facilities are currently covered under CFATS. Most
places are just not realistic terrorist targets.

Why no Top Screen in this Case

I have not talked to anyone from West Fertilizer; they don’t
need gadflies bothering them now. They have lost their livelihood, friends,
family and neighbors; they have more important things to do than talk to folks
like me. I can, however, make an educated guess about why a facility like West Fertilizer
might not have submitted a Top Screen.

First off, the company is a small company; news reports say
10 employees. It is owned and operated by a local man who set up shop in 1962.
He probably has a lady working in the office that takes customer orders, opens
the mail, makes bank deposits and writes out the checks for suppliers and payroll.
He certainly does not have an environmental health and safety professional on
staff. Like the vast majority of people in this country he has probably never
heard of the Federal Register and has certainly never read it.

When the EPA’s risk management program came into being he
was probably not aware of it and would have been grandfathered out of its
coverage because of his size and location. In 2006 when that grandfather clause
expired he wasn’t aware of it and was subsequently fined for not having a risk
management program in place. He has reportedly made all of the required program
filings since then.

In 2007 when the CFATS program became operational, it is
very likely that he did not hear anything about it. Even if he did, he wouldn’t
have considered his fertilizer distribution operation to be a chemical
facility. I would even bet that the discussions within the fertilizer industry
were ignored because of the relatively small size of his operation and the fact
that no one would expect to see terrorists in West, TX.

Now, how many other fertilizer distributors across the
country have not submitted Top Screens? I don’t know and I don’t think anybody
does. I would bet that there are a couple of people in ISCD that are currently
trying to find out. I would guess that there are hundreds, maybe as many as a
couple thousand, of similarly sized distributors in small towns across this
country. If there are farmers there will be fertilizer, and anhydrous ammonia
and ammonium nitrate are two of the cheapest and most effective methods of
increasing soil nitrogen content.

Would West Fertilizer have been Regulated

Before I go down this road, let me make it absolutely clear;
if West Fertilizer had been a CFATS covered facility, DHS would still have had
nothing to do with preventing the current incident since it looks like an
industrial accident not a terrorist attack. CFATS is a security program not a
safety program. If CFATS inspectors saw a grossly unsafe situation, they might
mention it to the owner, but they couldn’t do anything about it. They probably
couldn’t even report it, legally, to OSHA because of the information security
provisions of the CFATS regulations.

So, if West had submitted a Top Screen, would they have been
given a preliminary designation as a high-risk chemical facility? As I mentioned earlier,
ISCD isn’t discussing the details of the methodology they use to evaluate the
Top Screen data, but for a release type chemical it would mainly have to do
with the number of people that would be directly affected by a worst case
release (and the plant blowing up would certainly qualify as that). While the
community in West, TX is certainly devastated, I believe that their small
size would have caused ISCD to say that there wasn’t a significant risk of a
terrorist attack on the facility.

Now ammonium nitrate is not just a release risk. Since it
can be used to make a real explosive (and no, the stuff that blew up so
spectacularly this week is not really an explosive; conditions had to be just
right for it to explode) and is an internationally preferred component for IEDs,
ISCD also considers ammonium nitrate to be a theft/diversion risk. But West
apparently handled and shipped their ammonium nitrate in bulk (big trucks or
medium sized trailers), so they probably would not have made the cut for that
risk either.

Should Fertilizer Distributors be Covered

An interesting question now arises. Does the spectacular
explosion in West, TX change that calculus? There has been a huge amount of
press coverage of this incident and there would have been even more if the
fools in Boston were not still running around playing at being terrorists.
While the Boston attack was smaller and produced fewer casualties and damage,
it caught more news coverage. But even with Boston and a couple of ricin
letters, the explosion in West made national and international news. In a
slower news cycle the coverage would have been much larger.

Since one of the things that terrorists crave is
publicity, the coverage of this incident may make the terrorist’s calculation
of desirable targets slide towards favoring attacks on fertilizer distributors.
It will be interesting to see if the folks at ISCD re-look at how they assess
the release risk at these types of facilities. I think that facilities where
there are things like apartment buildings, nursing homes or schools (all three
in West, TX) within the potential 2 psi overpressure zone (a measure of blast
effects) of the facility should have their terrorist risk potential raised to
at least the Tier 4 level.

Friday, April 19, 2013

There have been two comments on my
post from last night about the explosion at the West Fertilizer facility in
West, TX (which is actually in the east-central portion of the State between
Dallas and San Antonio). Those comments and my replies provide some additional
information about the potential cause of the incident.

“There is not enough space for a
chemistry lesson but AN will decompose into oxides of N2 and water when heated.
This reaction is very exothermic. In bulk storage situations the heat cannot
dissipate faster than it is being produced and a runaway decomposition can
occur.”

If you are interested in a brief chemistry lesson on the
decomposition see this at
Yahoo.com.

• Each mole (80.0 g) of ammonium
nitrate produces 3.25 moles of gas. Combined with the exotherm produced by the
reaction this provides for a rapidly expanding shell of gas which produces the
devastating shock wave.

• The reaction also produces oxygen
(O2) that promotes additional combustion of the already existing
fire that would have started the heat rise in the first place in this instance.

• Fires frequently cause the
collapse of storage tanks. This could provide the confinement to change the
burning ammonium nitrate into exploding ammonium nitrate.

Probably not a Bleve

Ed Clarke doesn’t believe that the explosion was caused by
an anhydrous ammonia bleve based upon the shock wave seen in various
videos. He notes:

“Under intense heat from the fire,
in a confined space, the AN in the storage bins pictured in the GE imagery
(BTW, Bing birds eye view [here’s a link;
click on Birds Eye] provides much better perspective) would have exploded.”

He does have questions about the source of the fire seen in
the videos and suggests possible propane storage tanks. I suspect either that
or some of the open top transport containers for ammonium nitrate could have
been the fuel source, or even some of the other storage tanks that I mentioned
in the original post.

A Potential Terrorist Target?

In any case, we will need to watch for the CSB reports on
this investigation. Also note that the fire and explosion (and its extensive
media coverage) show that an attack on small, out-of-the-way facilities like
this could still bring the notoriety that terrorists crave. How much security
do you see in the aerial view of the facility? Not even a fence.

ISCD – How many of these facilities have not been reviewed
because no Top Screen was submitted? How many facilities like this that did
submit Top Screens received a pass because they were in small towns?

Two pages earlier in the Congressional Record (same link as
above) there is also a notice that a 13th Amendment had been added
to the Rule for the consideration of HR 624. This new
amendment, submitted by Chairman McCaul (Homeland Security) would make DHS
and the Justice Department the action agencies for receiving shared information
by amending §1104(b)(1)(A)(ii) and §1104(b)(1)(A)(ii) by replacing the words “Federal
Government” with “entities of the Department of Homeland Security and the
Department of Justice designated under paragraphs (1) and (2) of section 2(b)
of the Cyber Intelligence Sharing and Protection Act”. This amendment also
passed in a voice
vote of 409 – 5.

This last change was made to mollify some of the critics of
the bill that were afraid that NSA and the military would become the action
agencies for receiving this information. It is not clear at this point if this
change would overcome President Obama’s intention
to veto the bill.

The bill will now move to the Senate where, if it is actually
brought to the floor of the Senate by Sen. Reid (D,NV), there is a good chance
that a similar bipartisan vote would send the bill to the President.

Out of 63 bills introduced in the House and Senate yesterday
there were two that may be of potential interest to readers of this blog as
they concern pipeline safety and cybersecurity response. The bills are:

HR 1640 Latest Title: To amend
titles 10 and 32, United States Code, to enhance capabilities to prepare for
and respond to cyber emergencies, and for other purposes. Sponsor: Rep
Israel, Steve (D,NY)

About Me

Patrick Coyle is a freelance writer dealing with chemical security and safety issues. He has 15 years experience in the US Army with extensive experience in training development, delivery and evaluation. He spent 20 years working in the chemical process industry developing and improving chemical manufacturing processes with a large emphasis on chemical and process safety. He currently writes a daily blog, the Chemical Facility Security News, examining the issues associated with the Chemical Facility Anti-Terrorism Standards administered by the Department of Homeland Security.